5 Billion Unique Credentials Circulating on Darknet


Bank Account Credentials Sell for an Average of $71, Report Finds

Banking and financial credentials are the most common listings on darknet sites (Source: Digital Shadows)

Five billion unique user credentials are circulating on darknet forums, with cybercriminals offering to sell access to bank accounts as well as domain administrator access to corporate networks, according to the Photon Research Team at security firm Digital Shadows.


Researchers found that more than 15 billion user credentials are in circulation. Of those, about 5 billion are unique username-and-password pairs that have been advertised on underground forums only once; the remainder are duplicates, according to the report released this week.

“More often than not, credentials that are exposed are reposts or amalgamations of previously exposed credentials,” says Kacey Clark, a threat researcher at Digital Shadows. “Security teams that monitor for these types of issues, therefore, may well have already remediated the risk. Unique credentials, however, represent a higher risk and so are likely of greater concern for security teams.”

There’s been a 300% increase in the number of stolen credentials circulating on these underground forums since 2018. After an 18-month research effort, the researchers estimate that the credentials stem from nearly 100,000 data breaches that have taken place over the last two years, according to Digital Shadows (see: Stolen Zoom Credentials: Hackers Sell Cheap Access).

“I’m not overly surprised by the numbers,” Troy Hunt, creator of the HaveIBeenPwned breach notification service, tells Information Security Media Group. “Anecdotally, I’ve noticed a lot more credential stuffing lists in circulation recently, and just like the [COVID-19] pandemic itself, they seem to be replicating at a fierce rate.”

High-End Accounts

Cybercriminals employ a variety of techniques to carry out account takeovers. Some criminals buy credentials on darknet marketplaces, where a single account costs on average $15.43. But the more sought-after banking credentials sell for an average of $71, according to the report.

The price for access to a single bank account can exceed $500, depending on factors such as the balance, whether the buyer also gets the account holder’s personally identifiable information and the account’s age, the report notes.

The advertisements for access to these types of high-end accounts comprised 25% of all advertisements on underground sites analyzed by Digital Shadows.

In addition, the researchers found that credentials for domain administrator access to corporations and government agencies, where there is potential for a complete network compromise, can sell for as much as $140,000 if a bidding war takes place. But the average selling price is about $3,100, according to the report.

To give a potential buyer of admin credentials additional information to help make a sale, some underground forums include details such as the number of devices running on the network, how many employees work at the company and any intellectual property or sensitive documents on the system, the report states.

“Cybercriminals target the obvious goldmines of financial or internal company accounts, but they also see value in things like streaming or anti-virus accounts,” Clark tells ISMG.

For example, video game account credentials sell for as little as $2, the report notes.

Many individuals reuse the same credentials across multiple platforms, researchers at Digital Shadows note. Once one set leaks, attackers can replay it against every other service the victim uses, or brute-force weak passwords outright, and take over the accounts. The tools for such attacks can be purchased on the darknet for an average price of $4, according to the report.

Harvesting Credentials

Apart from buying credentials directly on the darknet, cybercriminals also use brute-force cracking tools and account checkers to steal information, according to the report. “Based on their descriptions, these tools can ‘crack’ accounts associated with banking, video games, e-commerce services, social media, streaming, VPN accounts and proxy services,” the report notes.

Many hackers also harvest banking credentials using Trojans, keyloggers and man-in-the-browser attacks, which let them capture the data as the victim types it into an online banking portal, according to the report.

Once a hacker obtains a list of credentials, they can buy or rent tools for credential-stuffing attacks, in which the stolen username and plaintext password pairs are replayed automatically against other sites’ login pages on the chance that the victim reused them, the report notes.

The Digital Shadows researchers also note that some sites rent out identity credentials for a limited amount of time for less than $10. These sites offer not just access to compromised accounts, but also browser fingerprint data, such as IP addresses, time zones and cookies, which lets the buyer impersonate the victim’s device and makes fraud detection harder, according to the report.
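As an added illustration (this is not code from the Digital Shadows report), the Python script below applies the defender’s side of that description to a constructed authentication log: it looks for a single source address that tries many distinct usernames in a short window and mostly fails, the signature of a stuffing tool replaying breached pairs, and lists the accounts that nonetheless logged in. The log format, the sample lines and the threshold values are assumptions.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example; not code from the Digital Shadows report. The log format
(timestamp, source IP, username, result) and the sample lines are
constructed. Heuristic: a stuffing tool replays breached username/password
pairs, so one source tries many distinct usernames and mostly fails; a
user mistyping a password retries one username instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts (one succeeds),
# 198.51.100.4 is one user retrying their own password.
SAMPLE_LOG = """\
2020-07-08T10:00:01Z 203.0.113.7 alice FAIL
2020-07-08T10:00:02Z 203.0.113.7 bob FAIL
2020-07-08T10:00:03Z 203.0.113.7 carol FAIL
2020-07-08T10:00:04Z 203.0.113.7 dave OK
2020-07-08T10:00:05Z 203.0.113.7 erin FAIL
2020-07-08T10:00:06Z 203.0.113.7 frank FAIL
2020-07-08T10:01:00Z 198.51.100.4 bob FAIL
2020-07-08T10:01:10Z 198.51.100.4 bob FAIL
2020-07-08T10:01:20Z 198.51.100.4 bob FAIL
2020-07-08T10:01:30Z 198.51.100.4 bob OK
2020-07-08T10:02:00Z 192.0.2.9 grace OK
"""


def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: record} for sources whose activity inside some
    sliding window has >= min_users distinct usernames and a failure
    ratio >= min_fail_ratio. The record also lists the accounts that
    logged in successfully from that source: the likely takeovers."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_src[src].append((ts, user, result))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) < min_users or fails / len(win) < min_fail_ratio:
                continue
            record = {
                "distinct_users": len(users),
                "attempts": len(win),
                "failures": fails,
                "compromised": sorted(u for _, u, r in win if r == "OK"),
            }
            # keep the widest spray seen for this source
            if src not in findings or record["distinct_users"] > findings[src]["distinct_users"]:
                findings[src] = record
    return findings


if __name__ == "__main__":
    for src, rec in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, rec)
```

The thresholds are starting points, not tuned values. Because stuffing tools are routinely run through rotating proxies, a production rule should also key on shared user-agent strings, ASN and the kind of browser-fingerprint data described above, rather than on source address alone.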

Cybercriminals also sometimes share credentials for free on forums to help build a sense of community, Clark says. “After someone posts a hashed data set, other forum users work on dehashing it and then post the plaintext passwords as a database.”

Managing Editor Scott Ferguson contributed to this report.

Mac Malware Primarily Infostealer, Not Ransomware


Malwarebytes: New Research Discloses Data Exfiltration Capability

Additional research by Malwarebytes has found the EvilQuest Mac malware is not purely ransomware but primarily an info stealer; it has been renamed ThiefQuest. (Photo: Getty Images)

The Mac malware originally labeled as “EvilQuest,” which researchers initially identified as a poorly designed ransomware variant, apparently is primarily an information stealer with ransomware-like elements designed to confuse security tools, according to the security firm Malwarebytes.


During the initial investigation into the malware, now renamed “ThiefQuest,” researchers missed a small piece of code written in Python that can exfiltrate data from an infected system, says Thomas Reed, director of Mac and mobile at Malwarebytes (see: Ransomware Targets Mac Users).

The Python script was uncovered after Malwarebytes researchers noticed the malware making hundreds of connections to a command-and-control server and exfiltrating data, activity that has nothing to do with typical ransomware behavior.

Even though ThiefQuest’s main task may not be encrypting a victim’s data, SentinelOne has released a free decryptor on Github to help any potential victims who had data encrypted by attackers.

“SentinelLabs research suggests that EvilQuest is not related to public key encryption and in fact often uses a table normally associated with block cipher RC2. Knowing this, the SentinelLabs team was able to break the EvilQuest encryption routine, unlocking files and disrupting the attack chain,” the company said in a statement.

Malwarebytes has not yet determined how many victims have been hit with ThiefQuest, Reed says.

ThiefQuest’s Activity

A closer examination of ThiefQuest reveals how the information stealer works, Malwarebytes says.

“This script scans through all the files in the /Users/ folder – the folder that contains all user data for all users on the computer – for any files having certain extensions, such as .pdf, .doc, .jpg, etc. Some extensions in particular indicate points of interest for the malware, such as .pem, used for encryption keys, and .wallet, used for cryptocurrency wallets,” Reed notes in an updated report published Tuesday.

The stolen files, which include cryptocurrency wallets and various types of keys, are collected and then uploaded to the command-and-control server over unencrypted HTTP, according to the report.
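To make that description concrete, here is an added defender-side example, not Malwarebytes’ code and not the malware’s own script, that walks a directory tree the way ThiefQuest walks /Users/ and lists what it would have collected, flagging key material and anything readable by other local users. It runs on a constructed temporary tree rather than the real /Users, and the extra document extensions and the unsuffixed SSH key filenames beyond what the report names are my additions.

```python
"""Inventory the file types ThiefQuest harvests from /Users.

Added example for defenders, not Malwarebytes' code and not the malware's
script. It reproduces the scan the report describes (documents, .pem keys,
.wallet files under the user folders) so you can see what would leave a
machine over plain HTTP. The extra extensions and the SSH key filenames
are my additions, not from the report, and the tree it scans is a
constructed temporary directory standing in for /Users.
"""
import stat
import tempfile
from pathlib import Path

# Extensions the report names, plus a few more document types (assumption).
TARGET_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".txt", ".pem", ".wallet", ".key"}
HIGH_VALUE_EXTS = {".pem", ".wallet", ".key"}
# Unsuffixed SSH private keys; added here because Reed calls out ssh keys.
TARGET_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}


def find_exposed_files(root):
    """Walk `root` like the malware walks /Users and report each match,
    flagging key material and anything readable by other local users."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix not in TARGET_EXTS and path.name not in TARGET_NAMES:
            continue
        mode = path.stat().st_mode
        hits.append({
            "path": path.relative_to(root).as_posix(),
            "high_value": suffix in HIGH_VALUE_EXTS or path.name in TARGET_NAMES,
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree():
    """Constructed stand-in for /Users with two accounts."""
    root = tempfile.mkdtemp(prefix="users-")
    files = {
        "alice/.ssh/id_rsa": 0o600,
        "alice/Documents/tax.pdf": 0o644,
        "alice/certs/server.pem": 0o644,
        "bob/coins.wallet": 0o644,
        "bob/notes.md": 0o644,        # not on the target list
    }
    for rel, mode in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
        p.chmod(mode)
    return root


if __name__ == "__main__":
    for hit in find_exposed_files(build_sample_tree()):
        print(hit)
```

Pointed at a real home directory, the world-readable flag is the actionable column: a wallet or certificate key that any local process can read is exactly what an info stealer running as the logged-in user will take.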

The fact that ThiefQuest has a data exfiltration feature is not proof it is a combination ransomware/info stealer like Maze, which is used to exfiltrate data and then extort ransoms for withholding release, Reed says (see: Ransomware + Exfiltration + Leaks = Data Breach ).

“We’re not sure at this point. That’s entirely possible, but some of the information being targeted suggests the malware is interested in things like cryptocurrency wallets (direct access to funds) and a variety of keys that could be used to gain access to systems (ssh keys, for example),” he says. “Although that doesn’t rule out the possibility of extortion, it doesn’t really point the finger in that direction either.”

As noted in the original Malwarebytes report, distribution of this malware was handled through fake installers, such as for Little Snitch – a host-based application firewall for Apple macOS.

Zoom-Themed Phishing Campaign Targets Office 365 Credentials


Fraudsters Using Fake Account Alerts to Steal Microsoft Credentials

Spoofed Zoom alert that’s part of an ongoing phishing campaign (Source: Abnormal Security)

A recently uncovered phishing campaign is using spoofed Zoom account alerts to steal Microsoft Office 365 credentials, according to a report from security firm Abnormal Security.


Using fake Zoom alerts to help disguise phishing emails comes at a time when use of the cloud-based video conferencing platform is skyrocketing due to work-from-home arrangements. A report following Zoom’s settlement with the New York state attorney general’s office over privacy and data security complaints showed that Zoom was supporting approximately 300 million meeting participants each day on its platform at the end of April, compared to about 10 million daily meeting participants in January (see: Zoom’s New York Settlement Spells Out Security Moves).

The Abnormal Security report notes that this large-scale reliance on Zoom for corporate communications is driving fraudsters and cybercriminals to use the company’s images and logos in phishing emails to give them a look of legitimacy and urgency.

“Zoom as a communications method is essential in a world under the shadow of the COVID-19 pandemic,” the researchers note in the report. “Thus, the user may rush to correct their account, click on the malicious link, and inadvertently enter credentials on this bad website.”

The researchers note that these Zoom-themed phishing emails have appeared in approximately 50,000 inboxes since the campaign started earlier this year.

Spoofed Notifications

Researchers found that fraudsters are sending victims phishing emails mimicking an automated notification from Zoom that spoofs the official Zoom corporate email address. These messages claim that the recipient will not be able to use the video conferencing platform until they click a link embedded in the email to reactivate their account, according to the report.

If the victim clicks the malicious link, they land on what appears to be an Office 365 login page but is actually a domain controlled by the fraudsters. The fake login page prompts the targeted victim to enter their Office 365 username and password to reset their account; the credentials are instead harvested by the fraudsters.

“Though the email impersonates the Zoom brand, the attacker is targeting the recipient’s Microsoft credentials, which can be used to access a larger trove of sensitive information,” the report notes.
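The following added example (not Abnormal Security’s detection logic) shows the checks a mail filter can apply to such a message: it parses a constructed copy of the lure, compares the envelope sender with the displayed From domain, and flags any link whose domain is not the brand the message claims, calling out links whose hostname advertises a login or reset page. The phishing domain office365-reset.example and the bounce address are hypothetical stand-ins.

```python
"""Flag brand/link mismatches in a Zoom-themed credential-phishing e-mail.

Added example, not Abnormal Security's detection logic. The message below
is constructed; "office365-reset.example" stands in for the fraudsters'
domain. Checks: envelope sender vs From domain, every link's domain vs the
From domain, and login-themed hostnames outside the claimed brand.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EML = """\
From: Zoom <no-reply@zoom.us>
Return-Path: <bounce@mailer.example>
Subject: Your Zoom account has been suspended
Content-Type: text/html

<html><body>
<p>Your account will be deactivated. Click to reactivate:</p>
<a href="https://office365-reset.example/login">Reactivate account</a>
<a href="https://zoom.us/support">Help center</a>
</body></html>
"""

LURE_WORDS = ("login", "signin", "reset", "office365", "microsoft", "verify")


class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def registered_domain(host):
    # Crude: keep the last two labels. Production code should consult the
    # public suffix list so "co.uk"-style domains are handled correctly.
    return ".".join(host.lower().split(".")[-2:])


def addr_domain(header_value):
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw):
    """Return [(finding_kind, detail), ...]; an empty list means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    findings = []
    if rp_dom and registered_domain(rp_dom) != registered_domain(from_dom):
        findings.append(("envelope-mismatch", f"From {from_dom} but Return-Path {rp_dom}"))

    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href in extractor.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) == registered_domain(from_dom):
            continue                      # link stays on the claimed brand
        findings.append(("link-offbrand", href))
        if any(word in host for word in LURE_WORDS):
            findings.append(("credential-lure", href))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EML):
        print(f"{kind:18} {detail}")
```

Note what this does not catch: a lure sent from a compromised but legitimate mailbox passes the envelope check, and a link to a legitimately named but attacker-controlled subdomain passes the domain check. The checks narrow the pile for human review; they are not a verdict.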

Go Phish

Other phishing campaigns have also taken advantage of the new reliance on collaboration and video conferencing software to create realistic-looking messages that target at-home workers.

In April, researchers found fraudsters using spoofed messages and images from Zoom and Cisco WebEx as lures in phishing campaigns that were designed to steal credentials or distribute malware (see: Cybercriminals Using Zoom, WebEx as Phishing Lures: Report).

Credentials for Office 365 and other Microsoft products are a frequent target of these attacks. This week, a federal court granted Microsoft an injunction to seize several malicious domains that spoofed the company’s products and services as part of numerous phishing attempts (see: Microsoft Seizes Domains Used for COVID-19 Phishing Scam).

Coordinating Disclosures of Medical Device Vulnerabilities

As cyberthreats facing healthcare organizations soar, medical device maker Becton, Dickinson and Co. has ramped up its process for coordinated disclosure of vulnerabilities to help identify, assess and communicate issues to regulators and industry stakeholders, says Dana-Megan Rossi, the manufacturer’s director of information security threat and vulnerability management.

“We work hand-in-hand with security researchers and really welcome them to be part of our process – they help to make our products better,” Rossi says in an interview with Information Security Media Group.

“They help us to find things, because technology is going to age. Eventually everything is going to come to the surface where you’re going to either need to remediate or mitigate a potential vulnerability.”

Assessing Problems

BD encourages independent researchers to reach out to the manufacturer about the discovery of vulnerabilities, she notes. The company’s product security incident response team, research and development team and product quality team work closely with any researchers filing a report, she notes.

Potential security vulnerabilities are carefully assessed, she adds. “Regardless of whether or not there’s any type of patient safety issue, we’re always going to disclose and communicate within 30 days.”

BD also works with the Department of Homeland Security, the Food and Drug Administration and the Health Information Sharing and Analysis Center “to make sure we can put together a responsible disclosure that lets our customers know ‘here’s what we found, here’s what you need to know about it, and here are steps to either remediate it … or to mitigate it’.”

In this interview, Rossi also discusses:

  • Security challenges involving legacy devices;
  • The impact of COVID-19 on the cybersecurity threat landscape;
  • The state of medical device cybersecurity and areas of progress.

Rossi, an attorney, leads global information security threat and vulnerability management at BD. Her work focuses on strategic and tactical security operations and initiatives, collaborations and global programs to enhance security. She also serves as the healthcare and public health sector chief for the FBI’s InfraGard for the National Capital Region and is a member of the Cyber Health Working Group.

Cybercrime Research: For the Greater Good, or Marketing?


As Governments Underinvest in Law Enforcement, Private Firms Fill Intelligence Gap


U.S. prosecutors this week revealed a newly unsealed 2018 indictment against the alleged hacker “Fxmsp” after his identity was revealed in a cybersecurity firm’s report. That sequence of events has highlighted the importance of information sharing as well as law enforcement’s reliance on private cybersecurity researchers. And it raised questions about the line between serving the public good and a private firm’s bottom line (see: Fxmsp Probe: Feds Say Group-IB Report Forced Its Hand).


On Tuesday, a federal judge approved a U.S. attorney’s request to unseal an indictment and arrest warrant against Kazakhstan national Andrey Turchin, 37, who’s been charged with five felony counts of computer fraud and abuse, wire fraud and access device fraud. The request was made after Turchin was named as being Fxmsp in a report published last month by Group-IB (see: Studying an ‘Invisible God’ Hacker: Could You Stop ‘Fxmsp’?).


But prosecutors said another reason for the court documents to be unsealed is that they believe that Turchin already knew of the U.S. charges against him, including allegations that his Fxmsp operation hacked into at least 300 organizations globally, including 34 in the U.S. The Justice Department didn’t immediately respond to a request for comment about how Turchin might have known of the charges against him.

On June 23, cybersecurity firm Group-IB, which is based in Moscow but opened a global headquarters last year in Singapore, described Fxmsp’s operations in a lengthy report designed to help organizations protect themselves against copycat attackers.

Geographical distribution of Fxmsp’s known victims. Note: Map doesn’t include five international firms, or eight firms for which Fxmsp listed no location. (Source: Group-IB)

Prosecutors, in their court filing, notably steer clear of denigrating the work of any cybersecurity researchers.

“Given the group’s prolific nature, sophistication, and notable victims, ‘Fxmsp’ and his accomplices, commonly referred to collectively as the ‘Fxmsp’ group, have been a subject of interest of cybersecurity researchers,” prosecutors told the court in their motion to unseal the records, which references the Group-IB report. “In addition to tracking ‘Fxmsp’s’ evolution and his group’s exploits and list of victims, this report publicly identified ‘Fxmsp’ as Andrey Turchin, of Kazakhstan, and provided a detailed explanation of the researchers’ attribution determination.”

Naming Suspected Criminals

Should Group-IB have published its detailed analysis of the hacker’s identity? To be clear, there are no rules against doing so, although attribution can be tricky.

“For security researchers, it’s a real conundrum about whether they name people because they, of course, don’t know what law enforcement operations are going on,” says cybersecurity expert Alan Woodward, a computer science professor at the University of Surrey in England. “It’s also a bit dangerous to name people anyway because, as we know, attribution is difficult.”

Group-IB tells me that one month before publishing the report, it provided it to two international law enforcement organizations to make sure that there weren’t any active investigations that they might be inadvertently impeding, and it wasn’t told to hold fire.

Information Sharing

The two law enforcement organizations, while not specified to me, were likely Interpol and Europol, both of which have FBI liaisons. Of course, that doesn’t mean that the FBI wanted to reveal any information to Group-IB about in-progress operations.

“How do I put it? The information sharing even within the law enforcement community is not always everything it could be,” Woodward says.

“I mean when they get it right it’s quite spectacular,” he adds, referring in particular to last week’s crackdown on EncroChat, the encrypted cellular network to which police gained access. That operation, led by French and Dutch law enforcement agencies, with the assistance of Europol – the EU’s law enforcement intelligence agency – and the EU Agency for Criminal Justice Cooperation, known as Eurojust, resulted in 746 arrests in Britain alone, where 10,000 of EncroChat’s 60,000 customers were based (see: European Police Hack Encrypted Communication System).

Woodward says numerous big cybersecurity firms, including organizations such as Group-IB, have advisers that communicate with him and participate in working groups run by Interpol and Europol. “But whether Europol knew what was actually happening or not, who knows?” he says, referring to the Fxmsp case, which the U.S. Justice Department this week said remains ongoing and could result in the arrest of accomplices.

“Interpol and Europol are not always told what’s going on with national efforts; that’s where things might go slightly awry. And it shows really that perhaps more of the coordination role – the sorts of things that Interpol, Europol and Ameripol do, actually – it would be really good if there was a bit more of … sharing what operations were going on,” Woodward says. “But of course, the fear is, the more information you share … the more likely that it might leak out and the criminals get a head start and can get away.”

A competitor of Group-IB, the U.S. threat-intelligence firm Intel 471, criticized Group-IB for publishing its report. Intel 471, together with FireEye’s Mandiant, was among the security firms that shared intelligence with the FBI. Intel 471 has accused Group-IB of releasing its report “for publicity and marketing under the guise of supporting the greater good.”

Research Versus Marketing

Where is the line between research and marketing?

For starters, it’s important to note that cybersecurity research has been a force for good. In an interview at Black Hat Europe in London in December 2019, Jake Williams, who heads cybersecurity consultancy Rendition Infosec and previously served as a network exploitation operator with the U.S. Department of Defense, told me that the move in recent years by private cybersecurity firms to publicly document how advanced attackers were hacking into organizations’ networks was a watershed. Threat intelligence firms releasing in-depth research into how alleged Russian hackers hit the U.S. Democratic National Committee and how alleged Chinese hackers hit the Office of Personnel Management has been instrumental in helping cybersecurity professionals learn how to better defend their organizations. Organizations can build on each other’s research as well as collaborate (see: Cybersecurity Defenders: Channel Your Adversary’s Mindset).

But when weighing how research might also serve a cybersecurity firm’s marketing needs, the picture is complicated by years of underinvestment in law enforcement, says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting and serves as a cybersecurity adviser to Europol.


“What we are experiencing today is the result of successive governments in many countries not investing or resourcing law enforcement agencies to tackle the growing threat of cybercrime,” Honan tells me.

“In the past, many governments viewed cybercrime as an IT problem rather than a societal one, and therefore it was something better left to the IT industry to address. As a result, many cybersecurity companies have more staff – and can pay those staff better than if they joined law enforcement – and more resources to investigate cybercrime than many police forces do,” Honan says.

Hence, many law enforcement agencies rely heavily on private cybersecurity firms to help them build cases. “However, it is now getting to the stage where research by private companies is becoming not only a tool to tackle those behind cyberattacks, but also a key marketing tool in many companies’ arsenals,” he says. “This can lead to the race for private companies to get their research published for marketing gain, and is something that could potentially undermine or conflict with law enforcement investigations.”

But he adds: “Governments are now taking the threat from cybercriminals more seriously and rightly recognize it to be a societal and economic threat rather than an IT problem.” So they’ve been putting in place better information sharing arrangements. “We need to continue to build on these public/private cooperation models, to lobby governments to properly fund and support law enforcement cybercrime agencies, and to push for better international legal frameworks to support the fight against cybercrime.”

Fxmsp Case

In the case of Group-IB’s report, no one is questioning its technical bona fides. Per the U.S. indictment, the firm named an individual that the FBI also thinks is Fxmsp.

“Our research was primarily focused on examining the threat actors’ activities and TTPs [tactics, techniques and procedures] with the aim to provide businesses with comprehensive recommendations on how to avoid attacks similar to those conducted by Fxmsp,” Group-IB CTO Dmitry Volkov tells me.

In addition, the report was published more than a year after Fxmsp appeared to have gone quiet in May 2019, when the group’s attempt to sell access to three anti-virus vendors’ networks and their source code was outed by New York-based threat intelligence firm Advanced Intelligence, in its own report. It appears to have driven Fxmsp off of the cybercrime forums it relied on to market its wares (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).

Add this geopolitical wrinkle: Kazakhstan has no extradition treaty with the U.S., which may explain why Turchin hasn’t yet appeared in an American courtroom 18 months after being indicted. Perhaps the FBI was hoping he’d vacation in a country that’s friendly with the U.S., so the bureau could nab him (see: Hackers’ Vacation Plans in Disarray After Prague Arrest).

What more might Group-IB have done? “In this case, they did ask [law enforcement] – not that they need permission – but as it turns out, the guy was already aware, and I don’t think it did any real harm or damage to the case,” Woodward says.

Updated Joker Android Malware Adds Evasion Techniques


Malicious Code Hid Within Apps Posted to Google Play Store

Wallpaper apps hid Joker malware (Source: Check Point Research)

Check Point Research reports that a new version of the Joker mobile malware that infects Android devices has emerged. The malware, hidden in apps in the Google Play store, has once again evaded Google’s security tools.


Researchers found the malicious Joker code hidden within 11 seemingly legitimate apps. Google removed all of the apps – including benign-looking game and wallpaper apps – by April 30 after it was notified by the researchers, according to the Check Point report.

The Joker malware, also known as Bread, has been active since at least 2017, although it has become more prevalent over the last year. The malware has the ability to steal SMS messages, contact lists and device information from infected Android smartphones. It also automatically signs up victims for premium services from various websites, according to Check Point.

Back in January, Google announced that it had removed about 17,000 apps from its official store that were used to help distribute this malicious code.

After those apps were discovered, the operators behind Joker apparently changed tactics to get their malware back into the Google Play store, according to Check Point.

“Joker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enable it to get past the Play Store’s security and vetting barriers,” analysts Aviran Hazum, Bogdan Melnykov, and Israel Wernik write in their report.

Adopting New Techniques

The Check Point researchers found that the operators behind Joker adopted several techniques previously used to infect Windows-based devices and evade security tools.

The Joker gang manipulated two key features – the Notification Listener Service in Android and a dynamic DEX file. These were then used to register the victimized user for the unwanted premium services, according to the report.

In the 11 infected apps that Check Point recently found, the malware developers hid a malicious DEX file, the compiled Dalvik executable format that holds an Android app’s code, inside the Android Manifest file, according to the report. The trick of stashing a dynamically loaded payload where scanners don’t look is the part borrowed from Windows malware.

“In an attempt to minimize Joker’s fingerprint, the actors behind it hid the dynamically loaded DEX file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs,” the researchers note in their analysis.

The Android Manifest file, which acts as a directory, is used in every Android app. It contains essential information about each app, such as what permissions the app will need once it’s installed, and is used by the Google Play store to ensure the legitimacy of each app before it’s posted, according to the report.

The operators loaded the malware into the DEX file using Base64 encoded strings to hide the malicious code and then inserted that file into the app’s Android Manifest. This way, the malware could stay dormant and hidden until Google approved the app for the store, the researchers say.

“The malware does not need to access a [command-and-control] server, which is a computer controlled by a cybercriminal used to send commands to systems compromised by malware, to download the payload, the portion of the malware which performs the malicious action,” the researchers note.

Once the approval process was complete and the app was posted in the official Google Play Store, the Joker malware then contacted the command-and-control server and began receiving instructions after victims downloaded the app, according to the report.
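As an added example (not Check Point’s tooling and not Joker’s code), the script below performs the two checks that description implies on a decoded manifest: it Base64-decodes every long attribute value and tests for the DEX header magic, and it lists services that request notification-listener binding. It assumes the manifest has already been converted from Android’s binary XML to plain text, for instance by apktool; the package, meta-data and service names in the sample are constructed, and the embedded “DEX” is a stub with a valid header only.

```python
"""Find a DEX payload hidden as Base64 in an Android manifest.

Added example, not Check Point's tooling and not Joker's code. It assumes
the manifest has already been decoded from binary XML to plain text (as
apktool writes it); the package name, meta-data names and service name
are constructed. Every attribute value that looks like Base64 is decoded
and checked for the DEX header magic ("dex\\n035\\0" and later versions);
the manifest is also checked for services that ask for notification-
listener binding, the second feature the report describes.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEX_MAGIC = re.compile(rb"dex\n0(35|37|38|39)\x00")
LOOKS_B64 = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def _fake_dex(size=64):
    """Constructed stand-in for classes.dex: valid magic plus padding."""
    return b"dex\n035\x00" + b"\x00" * (size - 8)


SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <application android:label="Cute Wallpapers">
    <meta-data android:name="config_cache"
               android:value="{base64.b64encode(_fake_dex()).decode()}" />
    <meta-data android:name="analytics_key"
               android:value="{base64.b64encode(b'telemetry-endpoint-settings-v2-opaque-string-').decode()}" />
    <service android:name=".NotifService"
             android:permission="{LISTENER_PERM}" />
  </application>
</manifest>"""


def scan_manifest(manifest_xml):
    """Return hidden DEX blobs found in attribute values and the names of
    services that request notification-listener binding."""
    root = ET.fromstring(manifest_xml)
    hidden_dex, listeners = [], []
    for elem in root.iter():
        if elem.tag == "service" and elem.get(ANDROID_NS + "permission") == LISTENER_PERM:
            listeners.append(elem.get(ANDROID_NS + "name"))
        for value in elem.attrib.values():
            if not LOOKS_B64.match(value):
                continue
            try:
                blob = base64.b64decode(value, validate=True)
            except binascii.Error:
                continue
            if DEX_MAGIC.match(blob):
                hidden_dex.append({
                    "tag": elem.tag,
                    "name": elem.get(ANDROID_NS + "name"),
                    "size": len(blob),
                })
    return {"hidden_dex": hidden_dex, "notification_listeners": listeners}


if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST))
```

A notification listener on its own is not malicious (many legitimate apps hold it), so the second list is context for the first: a Base64 blob with a DEX header next to a listener that can read SMS-delivered confirmation codes is the combination the report describes.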

Targeting Google Play

While Google has put more money and effort into securing its app store, fraudsters and hackers keep changing their tactics to get malicious apps posted on the platform.

Malwarebytes recently reported fraudsters were able to insert a Trojan called Cerberus into the Play Store by hiding it within a currency converter app. Since March, the app was downloaded some 10,000 times by users, mainly in Spain (see: Cerberus Banking Trojan Targeted Spanish Android Users).

In other cases, researchers have found malicious code within the Google Play Store that was then used to create botnets from infected Android devices (see: Botnet Watch: Anubis Mobile Malware Gets New Features).

Continuous Lifecycle Online is this Thursday: Get your ticket while you can, and tune into these fantastic sessions

Event Our annual Continuous Lifecycle London conference is online for 2020 – but that doesn’t mean it’s lacking whatsoever, and will be packed with the high-quality content you’ve come to expect.

Continuous Lifecycle Online is taking place this Thursday, July 15, and starts at 0900 BST (1000 CEST). Tickets are still on sale. Act fast: there are just days left to register.

The conference schedule is a veritable banquet of containerisation, DevOps, and compliance conversations, put together directly in response to your most pressing concerns in continuous-lifecycle management.

From deploying containers to delivery pipelines, security to compliance, and monitoring diverse setups and the architecture required to run them, no topic is too big or too specific. On top of that, a special emphasis will be placed on communicating with you – the audience – and addressing your questions and thoughts as a priority.

To deliver the day’s keynote, we’re delighted to be joined by Liz Rice, VP of open-source engineering at container security experts Aqua Security and the Cloud Native Computing Foundation’s technical oversight committee chair.

As a big fan of Kubernetes and security, there is little Rice couldn’t tell you about using containers across distributed systems, and with a professional background in architecting portable network stack implementations, and coding those implementations cleanly, Liz’s session promises to start the day with a bang.

Look forward also to a scintillating case study from Luke Blaney, principal engineer at the Financial Times. Blaney will explain how the newspaper’s reliability team was tasked with improving operational resilience across the FT, as well as reducing duplication of technology effort generally throughout the entire organisation.

Meanwhile, Skyscanner’s principal engineer Nicky Wrightson will explain how the company has ditched “low,” non-production environments in favour of only running bona-fide production environments. This means that development, testing, staging, pre-production, and other traditionally non-prod areas now form part of more distributed, complex, and larger systems to move things along quicker. But how does Skyscanner maintain quality and confidence while working in such an ambitiously fluid environment?

To answer this question – and many more besides – you’ll have to tune into Continuous Lifecycle Online, bright and early on July 15. Tickets are only £120 – get yours now and we’ll see you on Thursday.

The world’s nonsense keeping you awake in middle of the night? Good news. Go outside and see this two-tail comet

A two-pronged comet with billowing tails of gas and dust will streak across the sky this month.

If you’re in the northern hemisphere, and gazing up at the right moment – around 4am local time, July 10 to 15, looking northeast; and potentially an hour after sunset, July 14 to 23, looking northwest – you should catch a glimpse of the comet, C/2020 F3 NEOWISE. And local time really does mean the time wherever you are.

The glowing lump of ice and rock was discovered by NASA’s Near-Earth Object Wide-field Infrared Survey Explorer (NEOWISE) probe on March 27 – hence the name. Astronauts onboard the International Space Station also clocked the comet.

Read the directions … When to expect the comet when looking northeast. Source: Sky & Telescope. Used with permission

Solar radiation vaporizes the ice in the comet’s nucleus. The gas and dust freed as a result form a cloud, or coma, around the comet’s body as well as its two tails. One tail contains ionized gas; the other, brighter, one is made up of dust. The comet made its closest approach to the Sun on July 3. It is now heading towards Earth and will eventually cross our planet’s orbit and return to the outer edges of the Solar System by August.


Go west … When to expect the comet when looking northwest. Source: Sky & Telescope. Used with permission

The best chance of seeing the comet is a few hours before sunrise until about July 14. Find some place with a good open view of the sky and not too much light pollution. It’s best viewed with a telescope or binoculars, though the naked eye may do just fine. After July 14, you can look for it after sunset though bear in mind it may be too faint for the naked eye.

The trick to finding the comet is to locate Venus, the brightest planet in the eastern direction. After you’ve spotted Venus, find the star Capella… or use one of those free sky-mapping apps for smartphones.

“Look far to Capella’s lower left, by somewhat more than the width of your clenched fist at arm’s length,” Diana Hannikainen, observing editor of Sky & Telescope, America’s venerable astronomy magazine, said this week. That’s roughly the spot where the comet will be.

It will appear in the sky as a fuzzy ball of light with a bright streak. “Across the same latitude, observers in both the US and the UK will see the same thing,” Hannikainen told El Reg.

“The difference in what viewers will see of Comet NEOWISE depends more on latitude than on longitude. For the UK, the comet is ‘circumpolar,’ which means it doesn’t set.

“Nevertheless, the best viewing options in the UK are similar to [the US]: for the next few days, the best sights of the comet are those early in the morning, before the Sun rises, while after 14 July or so, the comet will be better placed in the evening, while still remaining visible throughout the night until dawn.”

To find the comet in the second half of this month, look for the Big Dipper stars in the Ursa Major constellation, and search just below it, though, again, you may need some equipment to see it.

The comet will pass by Earth no closer than about 64 million miles (103 million kilometres), and is estimated to measure about three miles (five kilometres) across. ®

An email banning our staff from using TikTok? Haha, funny story about that, we didn’t mean it – Amazon

Amazon today said an internal email banning its staff from using TikTok on smartphones connected to their corporate inboxes was sent in “error.” The admission – or climb down, depending on how skeptical you are – came after the memo was obtained and leaked by journalists.

The internet giant’s IT department sent a note to some workers on Friday telling them to remove the Chinese video-sharing app from their mobile devices for security reasons, or lose access to work email from those devices, the New York Times first reported. TikTok, owned by Beijing-based ByteDance, not only collects a lot of telemetry about your phone, we note; it is also feared the Chinese government could secretly subvert the stupidly popular software to spy on the West.

After the email leaked, Amazon’s spinners responded with the slightly ambiguous statement: “This morning’s email to some of our employees was sent in error. There is no change to our policies right now with regard to TikTok.”

The cynical among you may be thinking TikTok was already banned from work mobile devices, and will stay banned, and that the “error” was to suggest the policy was new. However, the now-retracted morning memo stated TikTok “was no longer permitted on mobile devices” though it could still be used from a work laptop. So what Amazon’s trying to say now is that it was wrong to ban TikTok from mobile devices: its policy is that it’s OK to use the software on phones used for work email. A second message was sent to staff informing them of the situation.

We also note Amazon Prime Video was advertising on TikTok as recently as April, so perhaps someone got trigger happy in IT and marketing revolted as they would lose access to their portal to the world’s youth. Or perhaps Amazon did a 180 after the email leaked to avoid controversy. Or perhaps because it makes little sense to ban the application from phones but leave it on work PCs. Also, the policy hasn’t changed right now though it may do in the near future?

Amazon declined to elaborate.

“User security is of the utmost importance to TikTok – we are fully committed to respecting the privacy of our users,” a TikTok spokesperson told El Reg. “While Amazon did not communicate to us before sending their email, and we still do not understand their concerns, we welcome a dialogue so we can address any issues they may have and enable their team to continue participating in our community.

“We’re proud that tens of millions of Americans turn to TikTok for entertainment, inspiration, and connection, including many of the Amazon employees and contractors who have been on the frontlines of this pandemic.”

Meanwhile, the US government believes the app, which has been downloaded more than a billion times worldwide, could be commandeered by the Chinese government to snoop on people. American soldiers were banned at the turn of the year from using TikTok after top brass branded it a “cyber threat.” The US Secretary of State Mike Pompeo told Fox News this week the Trump administration is “certainly looking” at banning TikTok in the States, citing national security concerns.

Next, US bank Wells Fargo told its staff who installed TikTok on their work devices to remove the software for privacy and security reasons, The Information reports.

And finally, India’s army this week directed troops to remove 89 social media and dating apps from their phones, including TikTok and Facebook – though bear in mind India outlawed 59 Chinese apps last month, TikTok among them. Chinese and Indian soldiers are clashing along the Line of Actual Control, the de facto border between the two countries, which explains India’s decision to banish the Chinese software. But what about Facebook?

“In view of the exponential increase in the number of cases being targeted by hostile intelligence agencies and existing vulnerabilities, the use of Facebook accounts by Army persons is banned,” the Indian Army said, according to India TV News.

“Hence, the existing accounts are required to be deleted and not left deactivated. Any service persons found on Facebook/using banned sites post-July 15 will be reported.” ®

Cyber Command’s measure of success? Outcomes

A U.S. Cyber Command official said that when the command assesses whether a given operation, or even an overall strategy, has succeeded, it looks not at metrics but at outcomes.

“It’s really about: have we enabled the collective defense of the nation,” Maj. Gen. John Morrison, Cyber Command’s outgoing chief of staff, told C4ISRNET in a July interview.

Roughly two years ago, Cyber Command and the Department of Defense started a paradigm shift for cyber policy and operations. The 2018 DoD cyber strategy tasked Cyber Command to “defend forward,” which is best described as operators working on foreign networks to prevent attacks before they happen. The way Cyber Command meets those goals is through persistent engagement, which means challenging adversary activities wherever they operate.

Two years later, what does persistent engagement and defend forward mean? (Patrick Semansky/AP)

Part of the need for a change was that adversaries were achieving their objectives but doing so below the threshold of armed conflict – in the so-called gray zone – through cyberspace. DoD wanted to stop that from happening through more assertive cyberspace action.

Some in the academic community have called for a way for the command to measure the success of these new approaches. But Morrison explained that the outcomes, or intended effects, of an operation can be enabling partners – foreign governments or other agencies within the U.S. government – to take action in defense of the nation.

For example, he said that when Cyber Command teams encounter malware they haven’t seen before, they share it with partners in government, such as FBI or DHS, which can lead to the greater national collective defense.

He also noted that building partnerships enables a sense of collective defense in cyberspace and can help significantly in the future against sophisticated adversaries.

Department of Defense leaders said a new cyber strategy could help lead to better protection of the United States from cyberattacks.(Justin Sullivan/Getty Images)

Morrison will be replaced at Cyber Command by Maj. Gen. David Isaacson. It is unclear where Morrison is headed next.

The need for flexibility

As Cyber Command has gained more authorities in recent years, it has been able to conduct significantly more operations and different types of operations as well, Morrison said.

Throughout these missions, leaders have learned they must be flexible, be it in tactics, structure of teams, or the capabilities they need or develop.

“We have thinking adversaries that we go against every single day. That drives us to change how we operate,” Morrison said. “You change your tactics, techniques and procedures but that’s also going to drive changes in how we train and what we train … It drives how we do capability development and development of capabilities and the employment of those capabilities, which again ties back to training at a much faster pace in this space.”

Morrison noted that this includes how teams are organized. He explained the way defensive cyber protection teams were first envisioned when they were created in 2012-2013 is not at all how they fight now.

To keep up with dynamic adversaries, Cyber Command is keeping closer watch on readiness metrics developed by the command for its cyber teams. This is a framework that details standards for how teams are equipped, manned and supplied. Cyber protection teams were detailed first and now Cyber Command has readiness metrics for combat mission teams, the offensive teams that support combatant commands, and intelligence/support teams. Officials are still working through metrics for what are called national teams that are charged with defending the nation.

The command also needs to improve the way it feeds operational requirements into capabilities cyber warriors can use, Morrison said. This includes improving acquisition practices for both of the programs of record Cyber Command is executing through its Joint Cyber Warfighting Architecture — which guides capability development priorities and includes the Unified Platform and Persistent Cyber Training Environment — and the more rapidly developed tools needed on the fly.

“That’s where you’ve got the ability inside the command now to rapidly produce that capability through a variety of means and get it into the hands of our operators as quick as possible,” he said.

In fact, the Army has begun embedding tool developers and coders alongside operators through the Rapid Cyber Development Network to meet urgent needs more quickly. This lets them develop or modify tools in near real time to meet operational requirements.

“How do we do capability development in a much smoother fashion than we sometimes do today where we’re able to rapidly assess, prioritize, resource operational requirements to produce a capability that we can then get back into the hands of our operators as quickly as possible,” Morrison said.

From these capabilities that are developed for shorter term needs, he said the key will be deciding if they want to move them into a program of record. Will it be a longer term capability, will it adjust tactics, techniques and procedures or training?

“We’ve got to work those pieces,” he explained.

On the longer term, program of record capabilities, he noted officials still want the iterative development associated with more software-centric systems as opposed to more traditional military hardware.

Integration with combatant commands

Cyber is much more ingrained in military planning and operations than it was in years prior, Morrison said, however, work remains.

There is now a closer link between the combatant commands and Cyber Command elements that plan, coordinate, synchronize and conduct cyber operations on their behalf, Morrison said, noting that they are still maturing.

These include the Joint Force Headquarters-Cyber, each commanded by one of the service cyber component commanders, which plan, synchronize and conduct operations for the combatant commands they are assigned to, and new entities called cyber operations-integrated planning elements (CO-IPEs). These are forward extensions of the Joint Force Headquarters resident within the combatant commands, there to coordinate cyber planning more closely with the combatant commander’s other operations.

These entities all enable a greater central connective tissue from a Cyber Command perspective as they can feed from the theater level back to the command providing a global cyberspace picture.

“You have to take not only a regional view of anything that you’re doing, but, when you can bring the power of a global enterprise behind it, that’s a pretty powerful capability for our nation,” Morrison said. “We are in the process of building every one of our CO-IPEs but I definitely think that we are heading in the right direction, especially as [the CO-IPEs] get built and they integrate closer and closer with their supported combatant commands.”

If at first you don’t succeed… Rackspace files IPO papers to go public once again, hopefully with better timing

Almost six years after going private, Rackspace is once again dipping its toes into the public market by filing for an IPO in the US.

The cloudy biz’s stock market debut was in August 2008 – yeah, not great timing – and its shares lost about a fifth of their value. In 2016, private equity group Apollo Global Management coughed up $4.3bn to take the bit barn landlord private again, laid off some staff, changed CEO a couple of times, and made acquisitions and adjustments to shift Rackspace toward being a cloud services company. We’ve heard rumors the outfit this month made some of its EMEA staff redundant, moving the jobs to India.

“Rackspace Technology has applied for listing its common stock on the Nasdaq Global Select Market under the ticker symbol RXT,” it said in a statement today. (FYI: Rackspace used to trade on the New York Stock Exchange as RAX.) “The number of shares to be offered and the price range for the proposed offering have not yet been determined.”

That valuation will be key. Early reports suggest the company is dreaming of a market cap of $10bn, which seems high for a sub-tier-one player in the cloud management sphere, particularly because Rackspace Technology, as it has been known since June, carries a huge debt pile left over from Apollo’s leveraged takeover.

The coronavirus pandemic may have been a big boost to Apollo’s plans to take Rackspace public, since the huge bump in locked down home workers has seen the demand for cloud-provisioned systems grow rapidly.

“Work-from-home business expansion is likely to continue for the next few quarters but it’s hard to see it supporting a long-term growth strategy,” Charles King, founder of analyst house Pund-IT, told The Register.

“In addition, most other hosting services and cloud players are aiming at that same demographic so the competitive landscape for Rackspace looks pretty fierce.”

Investors may also be encouraged by the strategic collaboration agreement Rackspace signed with cloud behemoth AWS on Wednesday. The deal is intended to open up new markets for Rackspace services around the world, piggybacking on AWS.

“By strengthening our relationship with AWS, our preferred cloud provider, it makes it easier for our customers to accelerate the value they realize from the cloud,” said Matt Stoyka, chief solutions officer at Rackspace Technology.

“AWS continues to innovate its cloud solutions and we are pleased to enter into a Strategic Collaboration Agreement to bring these solutions to our collective customers.”

A full valuation of the company is expected shortly, no date has been set for the IPO, and it’s subject to regulatory approval. Goldman Sachs will handle the share issue. ®

Spotted the ISS in the sky yet? How about pulling out some spare kit and giving it a listen?

Got plans for the weekend? No? How about pulling that Pi out of the drawer or dusting off an old laptop and getting ready to grab some images from the ISS, courtesy of locked-down European Space Agency (ESA) boffins.

Decoded image of a test transmission using the same mode the ISS will use – there won’t be any actual transmissions until late July to August … Source: One of our Windows PCs

Demonstrating what engineers and scientists get up to when they are riding out the current pandemic in their homes, the ESA team has put out a series of tutorials for Windows 7 and 10, macOS, iOS and Android, Ubuntu, and, of course, the Raspberry Pi, on how to pick up and decode Slow Scan Television (SSTV) transmissions from the orbiting outpost.

Those hoping for the latest and greatest HD video should look away now: think more ZX Spectrum loading screen than Netflix 4K cinematics.

Naturally, we had a crack at making it work (using the Windows 10 instructions) and succeeded in viewing the test image after delving into the dark arts of the Windows sound mixer. Pay close attention to the instructional video on setting up the Stereo Mixer (we didn’t).

The system makes use of the web-accessible software-defined receivers (WebSDR) scattered around the world, which allow multiple users to listen in and tune a receiver simultaneously. The audio generated can then be piped into an SSTV decoder (ESA pointed us at RX-SSTV, which will have a crack at rendering an image).

The WebSDR cited as an example by ESA is the one hosted at Goonhilly Earth Station in Cornwall, which lets users listen in on the 144–146MHz VHF band. ISS voice and data sits at 145.800MHz, but you’ll only hear something if the station is actually transmitting and within range of the receiver.

Helpfully, the WebSDR gang supplies a list of connected receivers around the world, and tracking the location of the ISS is relatively simple.

Sadly, there isn’t a schedule for when the ISS will be transmitting its SSTV data. Amateur Radio on the International Space Station (ARISS) maintains a blog of events but making things work relies on slotting the task into crew time.

SSTV has a long history, and was used by the Soviet Luna 3 probe to transmit images from the far side of the Moon. A variant also saw action in the early days of the Apollo program. The modern incarnation is used by amateur radio enthusiasts to send and receive static pictures in colour or monochrome via audio tones.

ESA said it anticipates the next broadcast from orbit will take place in the coming week or so, to mark the 45th anniversary of the Apollo-Soyuz Test Project.

This should give hobbyists plenty of time to tinker with software receivers or maybe even set up their own. And, in the case of Windows 10, deal with those pesky sound settings that Microsoft insists on hiding in the operating system. ®

Android 11 will let users stop device-makers from killing background apps, says Google

Android 11 Beta 2, out this week, is a fairly modest update, focusing primarily on stability and bug fixes. But behind the scenes there are strong indications that a broader shift is afoot, with Google trying to address overall ecosystem inconsistencies that have formed since its initial release.

The biggest clue comes from an official Reddit post by Android’s engineering team, who said the upcoming version of the mobile platform will finally address a major OEM excess: background app restrictions.

Android allows vendors to set their own background policy, choosing when to kill processes running in the background. As you’d expect, the actual execution varies wildly between OEMs. It is a fragmented space: Android runs on a multitude of different devices, under various manufacturer skins, or even as forks such as Amazon’s Fire OS.

One site, Don’t Kill My App, tracks policies between manufacturers. Chinese manufacturers — like OnePlus and Huawei — are the most aggressive. Google’s own-brand Pixel and Nexus devices, as well as those from Nokia and Sony, are the most laissez-faire.

But it matters, because background kills can have drastic implications, including notifications being delayed and apps misbehaving.

Writing in an AMA, the Android engineering folk described background kills as a “complicated topic,” itself compounded by the extensive independence enjoyed by manufacturers.

“We are updating the Compatibility Definition Document (CDD) for Android 11 to make sure device manufacturers are alerting users of app restrictions in a timely manner,” they said. “Not only does this help educate users about what is happening to their apps, but it also allows users to override the restriction if they choose to.”

Vendors will also be prohibited from exempting apps from their “background kill” policy, which Google claims harms the ecosystem and “decreases innovation.”

Developers will also be able to check why their app was terminated, via a new API. This will allow them to determine whether a process was killed because of a device’s background restrictions, or for another reason, like a crash.

Google said these measures “don’t solve everything,” but reckoned background kills remain an ongoing concern, and that it will continue to try to balance the needs of users and vendors.
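The exit-reason API the article alludes to is ApplicationExitInfo, introduced in Android 11 (API level 30). What follows is an added example, not code from the Android engineering team’s post or from the article, showing how an app queries the system’s record of its own recent process deaths and separates a system- or OEM-initiated kill from its own crash. The class name ExitReasonAudit and the human-readable labels are ours; which reason code a given OEM’s background-restriction kill lands under is not stated by the article, so the labels are an interpretation and getDescription() is where the vendor’s own explanation, if any, will appear.

```java
import android.app.ActivityManager;
import android.app.ApplicationExitInfo;
import android.content.Context;
import android.os.Build;
import android.util.Log;

import java.util.List;

/**
 * Added example (not from the article): reads the exit records Android 11
 * keeps for this app's processes so a developer can tell a background kill
 * imposed by the system or the OEM apart from a crash in their own code.
 * Call logRecentExits() early, e.g. from Application.onCreate().
 */
public final class ExitReasonAudit {
    private static final String TAG = "ExitReasonAudit";

    private ExitReasonAudit() {}

    public static void logRecentExits(Context context, int max) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R) {
            Log.i(TAG, "ApplicationExitInfo needs Android 11 (API 30) or later");
            return;
        }
        ActivityManager am =
                (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
        // packageName == null selects the caller's own package; pid == 0 selects
        // every process of that package. Records are newest first.
        List<ApplicationExitInfo> exits = am.getHistoricalProcessExitReasons(null, 0, max);
        for (ApplicationExitInfo info : exits) {
            Log.i(TAG, String.format("%s pid=%d at=%d reason=%s desc=%s",
                    info.getProcessName(), info.getPid(), info.getTimestamp(),
                    describe(info.getReason()), info.getDescription()));
        }
    }

    /**
     * Maps the REASON_* constants to a label. Only CRASH, CRASH_NATIVE and ANR
     * point at the app's own code; the rest were decided by the platform, the
     * user, or the vendor's background policy. The grouping is our assumption.
     */
    static String describe(int reason) {
        switch (reason) {
            case ApplicationExitInfo.REASON_CRASH:                   return "Java crash (app bug)";
            case ApplicationExitInfo.REASON_CRASH_NATIVE:            return "native crash (app bug)";
            case ApplicationExitInfo.REASON_ANR:                     return "ANR (app bug)";
            case ApplicationExitInfo.REASON_LOW_MEMORY:              return "low-memory kill (system)";
            case ApplicationExitInfo.REASON_EXCESSIVE_RESOURCE_USAGE: return "resource-usage kill (system)";
            case ApplicationExitInfo.REASON_USER_REQUESTED:          return "force-stop by user or vendor tool";
            case ApplicationExitInfo.REASON_USER_STOPPED:            return "user profile stopped";
            case ApplicationExitInfo.REASON_PERMISSION_CHANGE:       return "permission revoked";
            case ApplicationExitInfo.REASON_DEPENDENCY_DIED:         return "a dependency died";
            case ApplicationExitInfo.REASON_INITIALIZATION_FAILURE:  return "process init failed";
            case ApplicationExitInfo.REASON_SIGNALED:                return "killed by signal";
            case ApplicationExitInfo.REASON_EXIT_SELF:               return "exited normally";
            case ApplicationExitInfo.REASON_OTHER:                   return "other: read getDescription()";
            default:                                                 return "unknown(" + reason + ")";
        }
    }
}
```

The records survive the process death that produced them, which is the whole point: the next launch can report what happened to the previous one. If a device consistently shows REASON_OTHER or REASON_USER_REQUESTED with a vendor-specific description for processes the user never stopped, that is the fingerprint of the OEM background policy the Android team is trying to make visible.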

This isn’t the only move from Google to address platform inconsistency. Previous commits to the Android codebase indicate the Chocolate Factory may force vendors to support “seamless” A/B updates: a scheme in which the update is written to a second copy of the system partition while the device keeps running, and the device switches to it on reboot, so a failed update can fall back to the old slot rather than leaving the phone unbootable. That makes error recovery, and thus deployment, considerably easier.

Although this feature has been available in every Android version since 7.0 Nougat, it has been up to OEMs whether they use it. Android 11 appears set to change that. ®

Rip and replace is such a long Huawei to go, UK telcos plead, citing ‘blackouts’ and ‘billion pound’ costs: Are Vodafone and BT playing ‘Project Fear’?

Analysis The caution couldn’t be more stark. In a meeting with the Commons Science and Technology Select Committee yesterday, execs from BT and Vodafone warned UK lawmakers that a deadline of 2023 to remove Huawei-made equipment from their networks will result in multi-day mobile signal losses for some customers.

“To get to zero in a three-year period would literally mean blackouts for customers on 4G and 2G, as well as 5G, throughout the country,” claimed Howard Watson, chief technology and information officer of the BT Group, and a 40-year veteran of the telecoms industry.

He said BT would need at least five years to expunge Huawei from its infrastructure: “anything less than that, we would have to stop doing 5G”.

Vodafone, which uses Huawei’s infrastructure in its 2G, 3G, 4G, and 5G networks, made a similar case.

Echoing those concerns, Andrea Dona, head of networks at Vodafone UK, warned that customers would lose their signal, “sometimes for a couple of days, depending on how big or how intrusive the work to be carried out is.” Like Watson, Dona has a similarly storied CV, having previously held leadership roles at Ericsson and T-Mobile.

He said Vodafone would also need to “slow down our 5G deployment” if it were required to replace Huawei in a “very tight time”. Dona said Vodafone would not have the manpower to perform the engineering work, would need to recruit, and felt five to seven years was more reasonable.

The comments made by Vodafone and BT, which had both been contacted by the Committee for comment, are yet another cliffhanger in the Huawei omnibus, the latest episode of which sees the Chinese networking bogeyman at risk of losing its UK empire as a direct consequence of the ongoing US sanctions.

Earlier this month, Oliver Dowden, Secretary of State for Digital, Culture, Media, and Sport, told LBC Radio that the “reliability” of Huawei was now in question. The government is expected to decide later this month whether it will compel networks to remove Huawei-made equipment in its entirety.

“In relation to Huawei, we’ve had these US sanctions that were imposed a couple of months ago. I’ve asked the National Cyber Security Centre to analyse the impact of them,” Dowden told LBC’s Nick Ferrari this week.

“It seems likely they’re going to have a significant impact on the reliability of Huawei. I’ve just received that advice. I will be discussing that with the prime minister [Boris Johnson] and if there’s any change of policy arising from it I will make an announcement.”

No formal declaration

The government is yet to formally announce any decision. Nor has it announced a timeframe. However, there is an expectation that carriers would be given a three-year deadline. Although this is crushingly short (Watson and Dona suggested five or seven years would be required to complete the work), it would conclude before the UK’s 2024 general election, and thus be immune from the usual party-political interference.

While this is (obviously) dire for Huawei, it’s also potentially hugely damaging for the networks. Remember: Huawei has operated in the UK for 20 years. Most domestic networks – fixed or wireless – have drunk from the firm’s trough in that period, tempted by equipment said to be cheaper and better than the equivalents from Nokia, Ericsson, and Samsung, amongst others.

Speaking to The Register, analyst Paolo Pescatore of CCS Insight highlighted that most UK providers have developed an intimate relationship with Huawei, elevating its equipment to a high level of importance. But as time has dragged on – and as Beijing has evolved into a greater geopolitical foe for the West – that relationship has turned into something of a double-edged sword.

In his testimony to the committee, Dona claimed that Vodafone would have to spend “single-figure billions” to replace Huawei’s equipment from its network. The firm previously said it would cost €200m to remove Huawei from its European core networks. That’s without factoring in the non-core RAN.

BT — historically one of Huawei’s biggest UK customers — claims it would spend £500m just to meet the government’s previous limit of 35 per cent “high risk” equipment in non-core networks.

And, as Huawei has repeatedly protested in recent months, any rip-and-replace mandate would consume the attentions of the UK’s telcos, ultimately slowing the deployment of 5G and other related technologies — like 5G standalone (SA). As one industry insider told the BBC, it would be “like doing heart surgery in the middle of a marathon.”

Echoing that sentiment, Victor Zhang, vice president of Huawei, told The Register: “Huawei’s main priority has always been to provide the mobile networks with world-leading technology so they can keep the British people connected 24/7, especially during this difficult time. The UK government should not make a hasty decision without all of the evidence. The 5G decision is vital to the UK’s ‘Gigabit’ strategy and the future of its digital economy.”

In short, BT and Vodafone have lots to lose from a wholesale Huawei ban. On a very basic level, it would put them at a steep competitive disadvantage, particularly when compared to rival carrier O2, which has largely shied away from Huawei in favour of kit from Nokia and Ericsson, and as such would be allowed to operate without any onerous restrictions.

But there’s an argument to be made that because BT and Vodafone have the most to lose, they’re incentivised to exaggerate the potential consequences.

One analyst, John Strand of Strand Consulting, has argued that the figures provided by BT and Vodafone don’t match the amount historically spent on “high risk” kit from ZTE and Huawei. (China’s ZTE is already banned from the UK, and was also included in the category of “high risk” vendors.)

He also said that much of the existing Huawei-made kit was already due to be refreshed, as it had reached its lifespan. The figures cited by BT and Vodafone represented money that had to be spent anyway, he claimed.

The cost, however, will not be merely derived from acquiring new hardware, said Gartner’s senior director of research Sylvain Fabre. Migrating network and customer data will take time (and thus, money), and telcos will also be on the hook for training engineers to manage and deploy the replacement hardware.

“For a new vendor, or when swapping kit, engineers need to qualify on the kit,” Fabre explained.

Strand also argued that any downtime would make BT look poor compared with its regional competition, all of which face pressure to replace equipment from Huawei with alternatives perceived to be “safer.”

While this may be true, Gartner’s Fabre pointed out that there’s a lot networks can do to avoid disruption.

“The risk for outages can be minimised by dealing with limited sections of the network at a time, in the hours of low use (nighttime maintenance window) and with a roll back procedure as a backup in case of issues,” he said. ®

Tony Blair tells Russian infosec conference that cross-border infosec policies need more gov intervention

Former UK prime minister Tony Blair has declared that governments can’t “take 10 years to catch up” with cyber crims – while speaking at an infosec conference organised by Vladimir Putin’s favourite Russian bank.

The former Labour leader told Sberbank’s Cyber Polygon webinar that the speed of tech advances over the past 20 years has left governments floundering to keep pace.

“Technology is moving fast; the criminals exploiting it are also moving fast,” said Blair, who was prime minister between 1997 and 2007. “They’re looking to spot the opportunity and take advantage of weaknesses in the system. One of the things that should happen with this technology revolution is it also should reshape the state, how government operates, the skillset that it has, its interactions both with citizens and with the business sector.”

After leaving elected office, Blair set up a foundation bearing his name which aims to influence governments and political leaders around the world into following his brand of “third way” politics. Similar to the impact of Blair’s most well-known modern predecessor, Conservative PM Margaret Thatcher, the New Labour era of British politics saw lasting and profound changes to the face of society.

Those changes included the influence of the internet on the role that government plays in everyday society, with the infosec implications of that never having enjoyed a high profile. Blair scoffed at people with concerns about the role of the state in everyday online life, saying: “When people worry about the data they shared with governments – most people share enormous amounts of data with technology companies!”

The former PM also called for more infosec-focused regulation of globalised big businesses, telling the Russian conference: “As [concerns over privacy and data-sharing] grows in force, it’s just a statement of the obvious, you need to be able to protect people properly. I’d like to see much more cooperation on this and a much bigger attempt by businesses across national frontiers to get some common principles that they can then put forward to governments so we can regulate it properly.”

He repeated that there is a “common interest” in developing regulatory “solutions” that are “interoperable and are properly policed”.

In keeping with the conference’s cyber theme, Russian prime minister Mikhail Mishustin said – with a straight face – that online criminality was pressing the Russian authorities “to adapt policies that strengthen digital security of critical activities without undermining the benefits from digital transformation in critical sectors.” Russia features regularly, and heavily, as one of the probable originators of many state-sponsored cyberattacks against western countries.

Herman Gref, Sberbank’s CEO and someone described by the Financial Times as “a longtime Putin confidant”, also revealed that so far this year, Russian banks have lost 3.5bn roubles (£39m) to cyberattacks. Sberbank itself had a controlling stake bought out by the Russian state earlier this year. Bizarrely, Putin’s official office published an “interview” of Gref by Putin shortly before the deal was sealed in which the Russian president didn’t seem to have much interest in the bank’s tech platform ventures (“Issuance of hunting permits is not among direct functions of a banking institution”). ®

So Darned Kind of you, Facebook: SDK bug sends popular iOS apps crashing earthwards

Those using Facebook to log into services such as Spotify on their iOS devices are having a bad Friday, as something has gone awry with Zuckerberg’s ad-slinging platform.

A glance at social media reveals a howl from those affected by the problem which appears to have started early this morning (UK time) and hit iOS devices. Those running Android seem to be unaffected.

The issue looks to be related to Facebook’s Software Development Kit (SDK), used by many popular apps, including TikTok, Tinder and Spotify. It manifests itself by the app crashing at login.

Even the likes of Call of Duty: Mobile have been unable to put a bullet in the borkage (although its players would doubtless be keen to wreak the same levels of despair caused by the failure.)

Facebook is investigating what exactly has befallen its service on iOS. Apps not dependent on it seem fine; Spotify running with an email account behaves normally, but use a Facebook login and things are less than rosy.

The Facebook app does not even need to be installed for the borkage to occur. Affected apps make use of the user’s Facebook login, which requires a call to Facebook’s servers for authentication and then… foom.

It is a reminder of the interdependence of apps with regard to authentication. While convenient for a user to just have one login to rule them all, a service failure can affect all the apps that use it.

We’ve contacted the social media giant to find out what has befallen its services and will update should we receive an explanation.

Its developer orifice, currently “investigating”, had this to say on the issue: “We are aware and investigating an increase in errors on the iOS SDK which is causing some apps to crash.”

Scant comfort for those emerging from lockdown, keen to show off their Spotify playlists to their Tinder date and record the whole event on TikTok using their shiny new iPhones.

Should have bought an Android. ®

Soft press keys for locked-down devs: Three new models of old school 60-key Happy Hacking ‘board out next month

Fujitsu has refreshed its line of iconic developer-oriented Happy Hacking mechanical keyboards.

The three latest models — all including USB-C, with two using Bluetooth — are available to pre-order today, with units shipping from July 16 across Europe (including the UK).

The first, dubbed Classic, is an update of the iconic Happy Hacking Professional keyboard, packing a USB-C port. The Hybrid and Hybrid-S versions include Bluetooth 4.2, allowing users to wirelessly connect to their computers, and switch between devices with a keyboard shortcut. The latter uses a silent switch.

Happy Hacking mechanical keyboards Classic

As you’d expect, the Classic is the cheapest model on offer, with a starting price of £219.99. This comes in black and white variants, and interested punters can choose between printed and blank keycaps (ideal for those who prefer to use esoteric keyboard layouts, like Dvorak or Colemak). For Bluetooth, you can expect to pay a premium, with the Hybrid costing £259.99. The Silent version is more expensive still, retailing at £299.99.

As the name implies, the Happy Hacking keyboard is aimed at the developer market, and aggressively emphasises ergonomics by reducing wrist movement to as little as possible. By design, it’s perfectly symmetrical. It also reduces the number of keys from the typical 104 to just 60. Not only does it lack the “tenkey” numberpad, it also ditches the function, navigation, and arrow keys.

Happy Hacking mechanical keyboards Classic (side view)

Classic: a view from the side

Unlike other mechanical decks — which largely use Cherry or Cherry-knockoff key-switches, with the exception of Razer and Logitech who use their own in-house ones — the Happy Hacking keyboard uses capacitive key switches from Topre.

It’s worth noting Fujitsu seldom updates the Happy Hacking keyboard, with the last proper refresh of the Professional keyboard (ie, a material change to the design) in 2006. There have been subsequent limited edition releases, as well as the inclusion of Bluetooth, but we’re not counting those.

Happy Hacking mechanical keyboards Hybrid

Blue in the tooth: The wireless Hybrid version

It’s perhaps pertinent to note that since the first Happy Hacking keyboard launched in 1996, other ergonomic mechanical keyboards have entered the market, such as the ErgoDox EZ, Planck EZ, and the Matias Ergo Pro. It’ll be interesting to see how the refreshed Happy Hacking series can compete, particularly given the inherent learning curve each keyboard presents.

We mention the learning curve because a Happy Hacking keyboard should be winging its way to Vulture Central in the coming weeks. We’ll keep you posted. ®

Fxmsp Probe: Feds Say Group-IB Report Forced Its Hand

Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Hacking Suspect Named in Sealed Indictment Was Independently Outed by Researchers

Andrey Turchin was named as likely being the hacker known as “Fxmsp” in a June 23, 2020, report released by Group-IB, which says it first informed law enforcement.

Did a private cybersecurity firm’s report into the “Fxmsp” hacking operation that deduced the identity of the group’s alleged leader disrupt a U.S. law enforcement investigation?

U.S. prosecutors on Tuesday revealed that a federal grand jury had charged Kazakhstan national Andrey Turchin, 37, with five felonies tied to computer fraud and abuse, wire fraud and access device fraud. Those revelations came after a Dec. 12, 2018, indictment against him was unsealed this week at prosecutors’ request.

U.S. attorneys say the government’s investigation is continuing, and that they expect to charge more individuals in connection with the probe of Fxmsp, which they describe as being “a prolific, financially motivated cybercriminal group composed of foreign actors that has hacked, and continues to hack, the computer networks of a broad array of corporate entities, educational institutions and governments in various countries, including the United States.”

Prosecutors’ move to unseal the indictment followed Singapore-based cybersecurity firm Group-IB on June 23 releasing a report, “Fxmsp: The Invisible God of Networks,” describing the hacking group’s operations. The title echoes a marketing tagline used by one of the group’s affiliates to advertise via cybercrime forums Fxmsp’s ability to give criminals quiet, remote access to hacked networks – for a fee, of course (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).

Group-IB’s analysis found email addresses, domains and Jabber and social media accounts tied to Turchin that were also connected to Fxmsp. The firm concluded: “Andrey A. Turchin, born on December ***, 198***, living in Almaty, Kazakhstan (according to social media profiles, domain registration data, and the phone number), is presumably the attacker who hides under the nickname ‘Fxmsp.’ The fact that he uses the same nicknames and the common interests related to exchange platforms both confirm this.”

Group-IB says its report was designed to help organizations better protect themselves against the types of attacks waged by Fxmsp (see: Studying an ‘Invisible God’ Hacker: Could You Stop ‘Fxmsp’?).

“Our research was primarily focused on examining the threat actors’ activities and TPPs [techniques, tactics and procedures] with the aim to provide businesses with comprehensive recommendations on how to avoid attacks similar to those conducted by Fxmsp,” Group-IB CTO Dmitry Volkov told Information Security Media Group. “We do hope that our report will help prevent further victims and make its contribution to locating and arresting the threat actor hiding behind the nickname Fxmsp as well as his accomplices.”

Slogan used to sell remote access credentials stolen by Fxmsp, overlaid on a map of victims’ locations released last month by Group-IB

This isn’t the first time that research published by a private firm has overlapped with an active law enforcement investigation. Even so, Alan Woodward, a professor of computer science at the University of Surrey, says that in general, the more research being published on “the bad guys,” the better, especially if firms are also giving law enforcement a heads-up first, to help avoid disrupting active investigations.

“In some cases, the more eyes on the problem, the better,” he tells ISMG, because that approach can help build a more complete picture of criminals’ operations. He also notes, however, that such overlapping efforts increase the odds that “you’re going to run across each other, now and again.”

Prosecutors Have Indictment Unsealed

On Tuesday, federal prosecutors filed a motion to unseal the indictment against Turchin, aka “fxmsp.”

“U.S. authorities have reason to believe that Turchin is aware of the existence of pending criminal charges in the United States,” U.S. Attorney Brian T. Moran told Seattle federal court in a filing. “Given the group’s prolific nature, sophistication and notable victims, ‘fxmsp’ and his accomplices, commonly referred to collectively as the ‘fxmsp’ group, have been a subject of interest of cybersecurity researchers,” he added, and then referenced Group-IB’s report.

“In addition to tracking ‘fxmsp’s’ evolution and his group’s exploits and list of victims, this report publicly identified ‘fxmsp’ as Andrey Turchin, of Kazakhstan, and provided a detailed explanation of the researchers’ attribution determination,” he said. “Since its publication, various news outlets in the United States and abroad, citing the report, have published articles about ‘fxmsp’ and his identification as Turchin.” (Note: While ISMG has reported on Fxmsp, it declined to cite Group-IB’s assessment of the hacker’s alleged identity because it came from a single source.)

Source: Group-IB

As of Tuesday, Turchin remained a fugitive, with Moran telling the court that it was working with “foreign authorities and to pursue his apprehension to face charges in the United States.”

Moran told the court that the government had concluded that keeping the indictment under seal was no longer necessary, “given the unique circumstances of this matter, which include, among other things, Turchin’s knowledge of the criminal charges in the United States and his public identification as the prolific hacker ‘fxmsp.’”

On Wednesday, news site Bleeping Computer, which was cited – together with Forbes – by prosecutors as being one of the sites that named Turchin based on Group-IB’s report, reported that Turchin may now have been detained by local authorities in Kazakhstan.

In 2015, the U.S. signed a “mutual legal assistance in criminal matters” treaty with Kazakhstan, but currently there is no extradition treaty between the countries.

How did Turchin have knowledge of the sealed indictment returned against him 18 months ago? The Justice Department could not be immediately reached for comment.

But on Feb. 19, 2019, Moran submitted a motion to the court to unseal the indictment and arrest warrant issued for Turchin – aka Fxmsp, “Andej Turchin,” “Adik Dalv,” and “Vadim bld” – “for the limited purpose of facilitating arrests, extraditions, searches and interviews of existing and future defendants.”

At the time, Moran wrote that the limited nature of the unsealing was important. “Premature unsealing would create a substantial risk that the defendant and/or his co-conspirators will learn of the criminal investigation and charges and will take steps to thwart the efforts of law enforcement, alter criminal activity, evade arrest and destroy or tamper with evidence,” he told the court. “Notably, it is significant that, given the nature of the criminal conduct, the threat actors, including the defendant, are in possession of confidential victim information and are believed to have ongoing unauthorized access to numerous victim computer networks.”

Probe Led by FBI’s Seattle Field Office

Following the unsealing of the indictment against Turchin on Tuesday, the FBI’s Seattle office, which is leading the Fxmsp investigation, thanked the bureau’s British counterpart, the National Crime Agency, as well as the National Security Committee of the Republic of Kazakhstan, and two private-sector firms: Intel471 and FireEye’s Mandiant.

Other firms that contributed intelligence to the FBI included Advanced Intelligence, aka AdvIntel, which is a fraud-prevention and risk-management firm based in New York. In May 2019, the firm issued a report detailing an attempt by Fxmsp to sell alleged remote access to three anti-virus vendors’ networks – McAfee, Trend Micro and Symantec/Norton – as well as to their stolen source code (see: Crime Gang Advertises Stolen ‘Anti-Virus Source Code’).

Yelisey Boguslavskiy, AdvIntel’s CEO, has told ISMG that the impetus for his company’s report was to shine a light on Fxmsp’s operations, and drive them off of the cybercrime forums they relied on for advertising stolen access credentials for hacked networks. He says his company provided a private report with many more details to law enforcement.

“Advanced Intelligence was honored to support our nation’s law enforcement and the FBI Cyber Crime Task Force specifically with all advanced HUMINT” – referring to human intelligence, meaning insights gleaned potentially from person-to-person interactions on the cybercrime underground – “that we received in our investigation of the ‘Fxmsp’ group,” AdvIntel said on Wednesday.

While the company’s public 2019 report detailed Fxmsp’s history and operations, it did not suggest what the real-world identity of any of the group’s members might be. Boguslavskiy said that members of the group had been acting in publicly trackable ways as well as privately for clients.

Source: AdvIntel

“Fxmsp was acting privately – beyond forums – until May 9, 2019, when we terminated their operations,” Boguslavskiy has told ISMG (see: Hacking Timeline: Fxmsp’s Rise and Apparent Fall).

Did Report Complicate Investigation?

Eighteen months after Turchin was charged via a sealed indictment – which was not public knowledge – and 16 months after prosecutors obtained court approval to selectively unseal the indictment and arrest warrant to facilitate international arrests and extraditions, again not for public distribution, Group-IB released its report into Fxmsp.

Intel471, the cyber intelligence firm that contributed Fxmsp intelligence to the FBI and which was publicly thanked by the bureau for such efforts, suggests that by revealing the identity of Fxmsp, Group-IB’s report disrupted the active law enforcement – aka LE – investigation.

“Commercial companies outing cybercriminals for publicity and marketing under the guise of supporting the greater good and without proper coordination and deconfliction with LE is rarely constructive and often harms law enforcement efforts,” Intel471 says. “The FXMSP case serves as a lesson learned for vendors. A detailed report published by a security vendor has seemingly forced LE to unseal a criminal indictment, publicize a case and likely introduced new challenges for their investigation. We hope that in the future more companies will operate more responsibly and that buyers of security products and services factor this in when choosing who to partner with.”

Group-IB Shared Information With Authorities

But Group-IB says it fully informed law enforcement organizations prior to publishing anything, querying whether taking that step might disrupt any of their efforts.

“Ahead of making public any threat reports on cybercriminals, Group-IB contacts law enforcement agencies to make sure that such releases will not hamper any ongoing investigations, and the case with Fxmsp was clearly no exception,” a company spokeswoman tells ISMG.

“In May, the expanded version of the report about the threat actor was handed over to two international law enforcement agencies, with which the United States has ties,” the spokeswoman says. “Group-IB, in particular, provided the two organizations with the list of victims that the company was able to identify and the information which ultimately was the basis for establishing Fxmsp’s presumed identity, including his Jabber, and accounts on various underground forums. In keeping with ethical principles, neither victims nor personal information of the threat actor were included in the report’s public version.”

Group-IB says it informed the law enforcement agencies of its plan to make parts of the report public “and inquired if there were any ongoing investigations with respect to the threat actor to ascertain that the report’s publication wouldn’t do any harm to the legal proceedings.” Group-IB says the message that it received was that those law enforcement organizations “had no issues with Group-IB making the report public,” leading it to “release the report with the aim to provide businesses with comprehensive recommendations on how to avoid attacks similar to those conducted by Fxmsp.”

The Importance of Passive Tracking

Although the University of Surrey’s Woodward advocates that cybersecurity firms and researchers maintain ties with law enforcement, as Group-IB and others do, he says that law enforcement doesn’t always share information about operations they might have in progress, for fear that the information could get out. In addition, he says research published by private cybersecurity firms may later prove crucial for helping to build a case – as well as support it in court.

In this case, he doesn’t think Group-IB’s report harmed the investigation. “I’ve seen cases in the past, where various undercover operations thought they were tracking criminals, but what they were really doing is tracking other undercover operations,” he says.

“But this sort of thing, it’s not active tracking; it’s passive. You’re sort of looking at their footprints in the snow and seeing where they’ve gone and if you can put a case together,” Woodward adds. “That’s when I think it makes sense to name them, and especially in this case, they did ask – not that they need permission, but they just wanted to make sure they weren’t going to tread on any toes and that there wasn’t someone about to swoop on the guy. But as it turns out, the guy was already aware, he wasn’t going to go anywhere, so I don’t think it did any real harm.”

Cerberus Banking Trojan Targeted Spanish Android Users

Account Takeover , Cybercrime , Fraud Management & Cybercrime

Researchers: App Initially Acts Benign to Avoid Detection

The malware that Avast discovered is named after the mythical creature Cerberus (Image: Wikipedia)

A fake currency converter app in the official Google Play store, which has been downloaded more than 10,000 times since March, hid a banking Trojan and information stealer called Cerberus, according to Avast Mobile Threat Labs.

The fake app, called “Calculadora de Moneda,” appears to have targeted only Android users in Spain, Avast says. Researchers determined this app managed to bypass security features embedded in the Google Play store that are designed to keep out malware.

“This banking Trojan managed to sneak onto the Google Play Store. The ‘genuine’ app, in this case, posed as a Spanish currency converter called ‘Calculadora de Moneda,’” says Ondrej David, malware analysis team leader at Avast.

On Monday, after the researchers had begun investigating the suspicious Calculadora de Moneda app, the command-and-control server associated with the malware appeared to have stopped operating, the report notes.

Avast reached out to Google to inform the company about the fake app. A Google spokesperson could not be immediately reached for comment, and a scan of the Play Store could not locate the Calculadora de Moneda converter.

And while the Avast report noted that the app had been downloaded more than 10,000 times since March, the researchers did not note if the banking Trojan stole any credentials or data.

Over the last several months, researchers have noted an uptick in the number of banking Trojans targeting users. Analysts have found malware such as IcedID and Qbot being revamped or more widely used by malicious actors (see: Revamped IcedID Banking Trojan Campaign Uses COVID-19 Lure and Researchers: Qbot Banking Trojan Making a Comeback).

Stealth Mode

The currency converter app that Avast discovered was designed to avoid detection by both the user and Google Play Store’s security tools. When an Android user first downloaded the app, it did not immediately perform any malicious activity that would raise suspicion. Instead, it simply acted as a money converter, according to the Avast report. The researchers found that this was part of an obfuscation technique and the money converter actually acted as a dropper.

After a few weeks, the app contacted a command-and-control server operated by the fraudsters and downloaded a malicious Android application package called “Banker” onto infected devices, according to the researchers’ report.

Even when the Banker malware was downloaded, the Calculadora de Moneda app functioned as normal without any additional malicious activity, the researchers note.

“Later versions of the currency converter included a ‘dropper code’ but it still wasn’t activated initially, i.e. the command-and-control server instructing the app wasn’t issuing any commands and so users wouldn’t see and download the malware,” the report notes.

Ready to Run

After a few more weeks, the app contacted the command-and-control server for a second time. At this point, the actual Trojan – Cerberus – was downloaded to the device, and it then attempted to steal banking data and credentials from the victim, according to the report.

Once fully installed, Cerberus “sat” over the victim’s legitimate banking app waiting for the user to log into their account. The malware drew an overlay across the login screen of the victim’s banking app, which could then capture credentials and other data, according to the report.

In addition to stealing credentials, Cerberus could intercept and read text messages on an infected Android device, which allowed it to bypass two-factor authentication security.

The Avast researchers note that most of the Cerberus Trojans started downloading to infected devices around July 1. By Monday, however, the command-and-control server stopped functioning and the attacks appear to have stopped.

“Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection, i.e. limiting the time window where the malicious activity can be discovered,” David noted in the report.
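The staged behaviour described above (a converter that looks harmless at first, then gains the ability to install a downloaded APK, draw over a banking app’s login screen and read SMS codes) is something a defender can at least partially triage from an app’s declared permissions. The following Python check is an added example, not Avast’s tooling or code from the report: it maps those three capabilities onto the Android permissions that grant them (real Android permission strings) and scores a manifest. The three manifests, the package name and the verdict thresholds are constructed for the example.

```python
"""Static permission triage for an Android app, as a defender's first check.

Capability groups map the behaviour described for Cerberus (overlay over a
banking app's login screen, reading SMS to defeat 2FA, installing a downloaded
APK) onto the Android permissions that grant them. Permission strings are real
Android identifiers; the manifests and the verdict thresholds are constructed
for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Any one permission in a group is enough for the capability to count as present.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_intercept": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
    "install_apk": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def assess(manifest_xml: str):
    """Return (verdict, capabilities found) for one manifest.

    Overlay plus SMS interception together is the banking-overlay profile;
    any single capability is merely unusual for a utility app and gets 'review'.
    """
    perms = declared_permissions(manifest_xml)
    present = [cap for cap, group in CAPABILITIES.items() if perms & group]
    if "overlay" in present and "sms_intercept" in present:
        verdict = "banking-trojan profile"
    elif present:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, present


def _manifest(*perms: str) -> str:
    """Build a minimal constructed manifest declaring the given permissions."""
    uses = "".join(f'  <uses-permission android:name="{p}"/>\n' for p in perms)
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
        ' package="example.converter">\n'
        f"{uses}"
        '  <application android:label="Currency Converter"/>\n'
        "</manifest>"
    )


# Constructed stand-ins for the three stages the report describes.
STAGE_CLEAN = _manifest("android.permission.INTERNET")
STAGE_DROPPER = _manifest("android.permission.INTERNET",
                          "android.permission.REQUEST_INSTALL_PACKAGES")
STAGE_BANKER = _manifest("android.permission.INTERNET",
                         "android.permission.SYSTEM_ALERT_WINDOW",
                         "android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS",
                         "android.permission.REQUEST_INSTALL_PACKAGES")

if __name__ == "__main__":
    for name, m in [("clean", STAGE_CLEAN), ("dropper", STAGE_DROPPER),
                    ("banker", STAGE_BANKER)]:
        print(name, assess(m))
```

The limits of the check are exactly the point of the article: the first version of the converter declares nothing suspicious and scores “clean”, and only the later dropper build (which needs to install a package) and the Cerberus payload itself trip it. A static permission review therefore has to be paired with re-scanning on every update and with behavioural signals (an app contacting a new server weeks after install, then installing a package), which is what the delayed activation is designed to evade.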

Malware and Google Play

While the security features within the Google Play store are supposed to scan and block apps that contain malware such as Cerberus, researchers have noted that fraudsters have been getting better at designing fake apps that avoid detection.

In April, for example, Kaspersky published a report that found a sophisticated spyware campaign has been targeting Android users through Trojan-laced apps in the Google Play Store that are disguised as various plugins, browser cleaners and application updaters (see: Spyware Campaign Leverages Apps in Google Play Store).

APT Group Targets Fintech Companies

Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Report: Little-Known Evilnum Group Relies on Spear-Phishing Emails

How a typical Evilnum attack against a fintech target unfolds (Source: ESET)

A little-known advanced persistent threat group dubbed Evilnum has been targeting fintech firms in the U.K. and Europe over the past two years, using spear-phishing emails and social engineering to start their attacks, according to the security firm ESET.

In a report released Thursday, ESET researchers say the group recently expanded its targets beyond British and other European firms to companies in Canada and Australia. The report did not name any of the targeted companies.

“According to ESET’s telemetry, the targets are financial technology companies – for example, companies that offer platforms and tools for online trading,” the researchers note. “Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks.”

The APT group is believed to use a malware strain that is also called Evilnum, but is sometimes referred to as CardinalRAT and CarpDownloader, according to ESET.

This JavaScript malware was first spotted in 2018 by Palo Alto Networks’ Unit 42 and had previously targeted Israeli fintech companies. The Evilnum malware steals a wide variety of information, including customer records, credit card numbers and a device’s Microsoft license number, the report notes.

The spear-phishing emails the APT group uses attempt to infect devices with the Evilnum malware as well as other types of malicious code purchased or rented from other hacking groups.

The ESET report does not draw a conclusion as to where the Evilnum group is based. But it’s likely the threat actors have had some success targeting fintech firms since their activities began in 2018, says Matias Porolli, an ESET threat researcher.

“Judging by the fact that the attacks are targeted and the potential victims are approached with specific – not mass-sent – emails, we believe the attackers were successful in their efforts,” Porolli tells Information Security Media Group.

Infection Tactics

Evilnum’s first step is sending out spear-phishing emails to technical support representatives and account managers within the target organization with financial document attachments as a lure, the researchers note.

The email carries a Zip archive containing a malicious LNK file – a shortcut used in Windows – which, when opened, runs a JavaScript component and also displays a decoy document, the report notes.

“The documents used as decoys are mostly photos of credit cards, identity documents, or bills with proof of address, as many financial institutions require these documents from their customers when they join, according to regulations,” the report notes.

Fake documents used to help spread Evilnum malware (Source: ESET)

The ESET researchers also point out that these documents appear to be genuine and may have been collected by the threat actors from various sources to add legitimacy to their attacks.

Once the targeted victim clicks on the LNK file to view one of the documents, the malware begins to load in the background and infect their device, according to the report.

Once the attackers successfully infect devices and a network, the malware steals sensitive corporate data, such as customer lists, credit card information and other personally identifiable data, along with the firm’s investments and trading operations data, the ESET researchers report.

In the next phase of the attack, the JavaScript components deploy other malware the Evilnum operators purchased from other hackers, including code written in C# from the malware-as-a-service provider Golden Chickens, the report notes. The attackers also use Python-based tools in their toolkits, the researchers add.

While the JavaScript component acts as a backdoor and handles communications with the command-and-control server, the C# code takes on other tasks, including grabbing a screenshot whenever the mouse is moved over a certain length of time, sending system information back to the operators as well as stealing cookies and credentials. Eventually, this process will kill the malware when the campaign is complete, according to the report.

The attackers also use a number of additional Golden Chickens tools that apply anti-debugging techniques and look for anomalies that indicate a sandbox. If one is spotted, the code refuses to execute, which helps it evade analysis and detection, the researchers add. These tools also help the attackers collect data from victims’ email applications and gain additional persistence, according to the report.

In the final stage of the attack, the group deploys Python-based tools to take additional screenshots, perform keylogging and collect data. The malware then steals the device’s Microsoft Office and Windows licenses and sends them to the command-and-control server.

Rise in APT Attacks

Since the start of the COVID-19 pandemic, APT groups have turned their attention to large enterprises, security experts note.

For example, an April report from security firm Malwarebytes found that APT groups with links to China, Russia and North Korea were using new tactics to target an increasing number of victims.

In May, U.S. and U.K. authorities warned that APT groups are using “password spraying campaigns” to target medical institutions, pharmaceutical companies, universities and others conducting COVID-19 research (see: Alert: APT Groups Targeting COVID-19 Researchers).

Analysis: Monitoring the Risks Posed by Remote Workers

The latest edition of the ISMG Security Report analyzes the surge in the use of employee monitoring tools for the increasingly remote workforce.

In this report, you’ll hear:

  • ISMG’s Mathew Schwartz discuss the latest employee monitoring trends;
  • ISMG’s Jeremy Kirk analyze the issues involved in sorting through more than 1,000 IoT security guidelines;
  • Attorney Sadia Mirza address the impact of the California Consumer Privacy Act now that it’s being enforced.

The ISMG Security Report appears on this and other ISMG websites on Fridays. Don’t miss the June 26 and July 3 editions, which respectively discuss keeping IoT devices secure and a progress report on digital IDs.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.